This is a summary of the AI-generated 10-question deep analysis.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: pdoc < 14.5.1 loads a script from a compromised CDN (`polyfill.io`) in the HTML it generates for math documentation.
**Consequences**: Malicious code injection via a third-party dependency; risk of XSS or a supply chain attack.
Q2. Root Cause? (CWE/Flaw)
**CWE-1395**: Use of Third-Party Components Containing a Known Vulnerable Component.
**Flaw**: Hardcoded link to an insecure CDN in the `pdoc --math` command output.
Q3. Who is affected? (Versions/Components)
**Affected**: `mitmproxy/pdoc` versions **before 14.5.1**.
**Component**: Python API documentation generator using math rendering.
Q4. What can hackers do? (Privileges/Data)
**Hackers Can**: Inject malicious JavaScript into generated docs.
**Impact**: Execute arbitrary code in the user's browser (XSS), steal session data, or redirect traffic.
Q5. Is the exploitation threshold high? (Auth/Config)
**Threshold**: Low.
**Auth**: None required (PR:N).
**UI**: User interaction is required (a user must view the generated docs), but the attack vector is Network (AV:N).
**Self-Check**: Scan for scripts loading from `polyfill.io` in the generated HTML.
**Tools**: Use `pollyscan` or the Nuclei `CVE-2024-38526.yaml` template to automate detection.
Q8. Is it fixed officially? (Patch/Mitigation)
**Fixed**: Yes.
**Patch**: Upgrade to **pdoc 14.5.1** or later.
**Ref**: GitHub PR #703 and Security Advisory GHSA-5vgj-ggm4-fg62.
Q9. What if no patch? (Workaround)
**Workaround**: Disable the `--math` flag if possible.
**Block**: Block the `polyfill.io` domain at the firewall/proxy level.
**Audit**: Review generated docs for external script tags.
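Both the self-check under Q5 (scan generated HTML for scripts loaded from `polyfill.io`) and the audit step above (review generated docs for external script tags) come down to the same check. The following is an added example, not code from pdoc or from the original analysis: a small Python scanner that lists every external script or stylesheet a generated page pulls in and flags the ones whose host is `polyfill.io` or a subdomain of it. The sample document, the `cdn.polyfill.io` and `katex` URLs, and the function names are constructed for illustration.

```python
"""Scan pdoc-generated HTML for scripts/stylesheets fetched from polyfill.io.

Added example (not pdoc's own code). Standard library only.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# The CDN named in the advisory. Subdomains (e.g. cdn.polyfill.io) are matched too.
BLOCKED_HOSTS = {"polyfill.io"}


def _absolute(url: str) -> str:
    """Give protocol-relative URLs ("//host/x.js") a scheme so urlparse sees the host."""
    return "https:" + url if url.startswith("//") else url


def _host_matches(url: str) -> bool:
    """True if the URL's host is a blocked host or a subdomain of one."""
    host = (urlparse(_absolute(url)).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


class ExternalResourceScanner(HTMLParser):
    """Collects external <script src> and <link rel=stylesheet href> references."""

    def __init__(self) -> None:
        super().__init__()
        self.external = []  # (tag, url) for every resource loaded from another origin
        self.flagged = []   # the subset that points at a blocked host

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        url = None
        if tag == "script" and attrs.get("src"):
            url = attrs["src"]
        elif tag == "link" and attrs.get("href") and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs["href"]
        if url is None:
            return
        # Relative paths (e.g. "js/local.js") have no scheme and are served with the docs.
        if urlparse(_absolute(url)).scheme not in ("http", "https"):
            return
        self.external.append((tag, url))
        if _host_matches(url):
            self.flagged.append((tag, url))


def scan_html(html: str) -> dict:
    """Return {'external': [...], 'flagged': [...]} for one HTML document."""
    parser = ExternalResourceScanner()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "flagged": parser.flagged}


def scan_directory(root: str) -> dict:
    """Map each .html file under `root` that references a blocked host to its flagged URLs."""
    findings = {}
    for path in Path(root).rglob("*.html"):
        flagged = scan_html(path.read_text(encoding="utf-8", errors="replace"))["flagged"]
        if flagged:
            findings[str(path)] = flagged
    return findings


# Constructed sample of a generated page (not real pdoc output): one legitimate
# stylesheet, two polyfill.io script loads, one local script and one inline script.
SAMPLE_DOC = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex/dist/katex.min.css">
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="js/local.js"></script>
<script>window.MathJax = {};</script>
</head><body><p>x^2</p></body></html>"""


if __name__ == "__main__":
    result = scan_html(SAMPLE_DOC)
    for tag, url in result["external"]:
        print(("FLAGGED " if (tag, url) in result["flagged"] else "external") + f" <{tag}> {url}")
```

Point `scan_directory()` at the output directory of `pdoc` to audit a whole documentation tree; any non-empty result means a page still references the CDN and the docs should be regenerated with a fixed pdoc (or with `--math` disabled).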
Q10. Is it urgent? (Priority Suggestion)
**Urgency**: High.
**Priority**: Immediate patching recommended.
**Risk**: Supply chain attacks are critical; do not ignore third-party CDN risks.